Abstract
To address the chain-of-trust complexity and unilateral control that result from the centralized architecture of domain name system security extensions (DNSSEC), a decentralized DNSSEC public key verification mechanism is proposed. By combining blockchain structure design, a cryptographic accumulator, and a consensus algorithm, the mechanism implements new key binding, rotation, and verification operations on blockchain technology, so that domain name records can be verified with trusted public keys without any centralized authority. Further analysis and experiments show that the proposed mechanism consistently achieves order-of-magnitude better key verification performance, as well as a good trade-off between key management complexity and security.
Authors
CHEN Wen-Yu (陈闻宇); LI Xiao-Dong (李晓东); YANG Xue (杨学); XU Yan-Zhi (徐彦之)
Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190; University of Chinese Academy of Sciences, Beijing 100049; China Internet Network Information Center, Beijing 100190; Guangdong-Hong Kong-Macao Greater Bay Area (GBA) Research Innovation Institute for Nanotechnology, Guangzhou 510770
Source
Acta Automatica Sinica (《自动化学报》)
EI
CAS
CSCD
Peking University Core Journals (北大核心)
2023, Issue 4, pp. 731-743 (13 pages)
Funding
Supported by the special fund of the National Key Research and Development Program of China (2019YFB1804500).
Keywords
Domain name system security extensions(DNSSEC)
public key infrastructure(PKI)
blockchain
cryptographic accumulator